When the “Experts” Get Scammed

When it comes to scam and fraud attempts, there is literally no limit to what kind of victim the criminals will go after. You might think that senior citizens on a fixed income, charitable organizations, small business owners, military veterans and their families, or some other group would be “off limits,” but that’s simply not true.

Case in point: the Identity Theft Resource Center received the following email, warning us that our Apple ID had been restricted and we would no longer be able to make purchases through iTunes until we updated our account. That might even be useful information, except that a) the sender is definitely not Apple and b) by hovering over the “Verify Now” link, we saw that the website is not Apple’s either.

Here is the real phishing email sent to ITRC:

In this phishing attempt, the scammer is sending out the same message to randomly selected email addresses, hoping to catch someone who will take the bait. The important thing to understand about this process is that it’s automated; there aren’t warehouses full of computer technicians who sit at their keyboards all day, typing in email addresses that they’ve hunted for online.

Instead, using bot software and stolen or purchased blocks of addresses, scammers can send out hundreds of thousands of these emails every day. If someone actually clicks the link and responds, the automated process simply takes their information and uses it for identity theft purposes. Some forms of phishing scams do involve a live person at some point, but those are more likely to be ones where the victim has to engage in the “story” and wire money to the scammer.

While the nerve it took to message a non-profit that’s tasked with protecting the public from scams is somewhat hilarious, the real truth behind this type of thing is anything but funny. Our example should serve as a stark reminder of some key points:

1. Again, no one is immune – Too many email and social media users will tell you, “No one’s going to bother with my account, I’m a ‘little guy’.” However, that couldn’t be further from the truth. Don’t mislead yourself into thinking that no one is after your money, your identifying information, or your account access, just because you don’t see yourself as a major player in the tech world.

2. Automation makes this even more dangerous – To all those people who use “password1” as their passwords, take note. Convincing yourself those scammers will never “guess” your password because it’s so obvious is the worst mistake you can make. They don’t sit and guess random passwords; they use software that does the dirty work for them. Some of the more sophisticated password bots can produce billions of guesses per second, and they’re programmed to start with the most obvious options.

3. The bigger the name, the more likely you are to fall for it – Scammers rely on the most likely option for getting your attention. In our case, it was an Apple ID. Scammers will use branded logos from Apple, Amazon, PayPal, Visa or Mastercard, or any other household name companies, knowing there’s a good chance some of their potential victims will have accounts with those companies.

Phishing attempts still occur because they work. The only way to protect yourself is to never click a link or open an attachment that you were not expecting, even if the sender appears to be someone you know, as their account could have been hacked. Get verbal confirmation before opening these types of items or complying with the request in the email, and if there’s any doubt that your account may actually have been restricted, delete the email and contact the company directly to check up on it.

If you receive what you believe to be a phishing email purporting to be from Apple, please send it to [email address not shown], a monitored email inbox, which does not generate individual email replies.

Connect with the ITRC through our toll-free call center at (888) 400-5530, or on-the-go with the new IDTheftHelp app for iOS and Android.